2

I am planning to set X-Frame-Options SAMEORIGIN in my server's httpd.conf as part of improving the defenses against clickjacking. I understand this will add the X-Frame-Options header to all pages. There is a "widget" page that I would like to exempt from this (other sites will display this page inside an IFRAME).

Is there a way to configure Apache 2 to not send the header for a specific page alone?

Manoj Govindan

2 Answers

3

Yes, use SetEnvIf:

SetEnvIf Request_URI "^/my_awesome_widget_page\.html$" iframes_are_cool
Header set X-Frame-Options SAMEORIGIN env=!iframes_are_cool
Mark Wagner
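Added example (not part of the answer above): a small Python check that models how the `SetEnvIf` / `Header set ... env=!var` pair decides which request paths lose the header, so an exemption pattern can be audited before it is deployed. Python's `re.search` stands in for Apache's regex engine here, and the sample paths and function names are constructed for illustration.

```python
import re

# Constructed sample paths: the widget plus pages that must keep the header.
WIDGET = "/my_awesome_widget_page.html"
SAMPLE_PATHS = [
    WIDGET,
    "/index.html",
    "/account/settings",
    "/my_awesome_widget_pageXhtml",              # differs only where "." sits
    "/my_awesome_widget_page.html.bak",
    "/account.php/my_awesome_widget_page.html",  # PATH_INFO-style suffix
]

def exempted(pattern, paths):
    """Return the paths for which SetEnvIf would set the exemption variable.

    SetEnvIf does an unanchored regex search on Request_URI (path only,
    no query string), which re.search mirrors for these simple patterns.
    """
    rx = re.compile(pattern)
    return [p for p in paths if rx.search(p)]

def frame_header(pattern, path):
    """Model 'Header set X-Frame-Options SAMEORIGIN env=!var' for one path."""
    return None if re.search(pattern, path) else "SAMEORIGIN"

def audit(pattern, intended, paths):
    """Paths that lose the header although they are not meant to be exempt."""
    return [p for p in exempted(pattern, paths) if p not in intended]

# Three candidate patterns for the same widget page (assumed variants).
CANDIDATES = {
    "unanchored": r"my_awesome_widget_page\.html",
    "unescaped dot": r"^/my_awesome_widget_page.html$",
    "anchored, escaped": r"^/my_awesome_widget_page\.html$",
}

if __name__ == "__main__":
    for label, pattern in CANDIDATES.items():
        extra = audit(pattern, {WIDGET}, SAMPLE_PATHS)
        print(f"{label:18} unintended exemptions: {extra or 'none'}")
```

Only the anchored pattern with the dot escaped exempts the widget page alone; the same audit can be repeated against a list of the site's real paths.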
0

You can unset the X-Frame-Options header in a .htaccess file (assuming your widget is in its own subdirectory):

Header always unset X-Frame-Options
cherdt